Security Approaches and Requirements John Watt NCeSS Conference 2008 - Workshop 3 Data Management through e-Social Science June 18th 2008.

Authentication and Authorisation
Authentication is the establishment of IDENTITY
– Your passport is an identity token
– Issued by an INTERNAL national authority upon in-person presentation of information (e.g. birth certificate)
Authorisation is the establishment of PERMITTED ACTION(S)
– An entry visa is an authorisation statement
– Issued by an EXTERNAL foreign authority upon presentation of specific information (e.g. work permit)

Typical AuthN and AuthZ
User registers with University IT Services when they start their course/job
– Terms and Conditions form
– Present staff/student ID number
This means the user has been identified to the University
– User is supplied with a Username and Password combination
This is the user’s day-to-day digital identity
– Issued by a well-known entity (the University)
– Satisfies the University’s own registration protocol
A trustworthy authentication token…?

Authentication and Authorisation on the Grid
Authentication on the Grid is performed through X.509 digital certificates
– Issued by a trusted National/Regional Authority: a Certification Authority (CA)
– Technically, the CA implements a Public Key Infrastructure (PKI)
Authorisation on the Grid is performed by…
– grid-mapfile, VOMS, PERMIS, OMII-SP CCP, Attribute Certificates (ACs), Akenti, CAS, Active Directory groups…

Proxy Certificates
X.509 certificates have interesting properties
– Short-lived copies of the original certificate can be made to automatically propagate through the Grid: Proxy Certificates
– Short-lived to mitigate intruder actions
– Enables Single Sign-On to the Grid
– They carry a digital signature that tells if the information contained in the certificates has been tampered with
– MyProxy is a tool which allows repository access to the certificate via a username/password, so the user doesn’t need to handle the certificate

Multiple Identities
A national CA issues a national-level ID
– Large footprint, enabling certificate
– Not a user’s familiar identity
A University issues a local-level ID
– Small footprint, only recognised on campus
– User is familiar with this identity
Both these identities have well-known user registration procedures
– But a local identification will ALWAYS be a more authentic token
  User is known at the institution
  Home site can revoke privileges faster than a remote site

Shibboleth
Shibboleth federates your local identity across a network of trusting sites
– Collection of sites managed by a “Federation”, responsible for registering participants and supplying metadata for up-to-date resource info
– In the UK, managed by the UK Access Management Federation
– Federation services may be accessed with the user’s home University credentials, regardless of location
– Resources no longer need to do user registration
– Single Sign-On solution
– Pseudo-anonymous access possible

Shibboleth
Shibboleth/SAML defines interactions between
– An IDENTITY PROVIDER (IdP): represents a user’s home institution; asserts user information to the federation
– A SERVICE PROVIDER (SP): represents the resource that is being accessed; consumes the user’s information on behalf of the protected application
– An optional Where Are You From? (WAYF) service
Shibboleth is an Apache module (mod_shib) that triggers the SAML mechanism when a protected web directory is requested.

Shibboleth SAML Attributes
Shibboleth provides a mechanism for additional information about the user to be securely exported
These SAML attributes may be used for authorisation and access control
– IdP provides a policy-driven set of user attributes to be transmitted to an SP, which has a separate policy-driven reception policy
– These attributes typically hold ACCESS RIGHTS
  Text string roles (staff, student, director, minion…)
  Attribute Certificates (certs with extra info)
– Supports Role-Based Access Control (RBAC)

eduPerson Schema
Attempts to standardise a set of core information that can be provided about users
– eduPersonAffiliation: MEMBER, STUDENT, AFFILIATE
– eduPersonTargetedID
– eduPersonEntitlement: roles, privileges (nanoCMOS_webManager)
– eduPersonPrincipalName: John Watt
  The only one that contains revealing information

Shibboleth Operation
Enter URL of Service Provider

Shibboleth Operation
Where Are You From?
– Select your institution from the drop-down menu
– Will be “National e-Science Centre (Glasgow)” for now

Shibboleth Operation
Authenticate with username/password

Shibboleth Operation
SAML is collecting attributes about the user
– Then redirects you to the URL you originally requested…

Shibboleth Operation
Logged in

Shibboleth Summary
Allows a user’s home University login to be recognised across a national-scale network of trusted sites
Provides extra info (attributes) which may be used for access control
Single Sign-On to services
User management done at the user’s home site
Issues:
– How to link with the national CA credential?
– Coordination required between requirements of IdPs and SPs

Authorisation
Many ways to do authorisation
– UNIX permissions on account: user abilities are enforced by the sys admin on single accounts per user
– Account accessed through a grid-mapfile: a list of user X.509 DNs and the account they map to; an admin nightmare when scaled up
– Role Based Access Control: guided by the concept that users may come and go from an organisation, but the actual jobs and roles will remain relatively static.

Role Based Access Control (RBAC)
TESCO (ALL STORES) ACCESS CONTROL LIST:
– Jim Bowen: 10% off all goods
– Richard Whiteley: 10% off all goods
– Noel Edmonds: 10% off all goods
– Des O’Connor: 10% off all goods
– Bob Monkhouse: 10% off all goods
– Terry Wogan: 10% off all goods
– …etc etc etc
TESCO (ALL STORES) ROLE-BASED ACCESS CONTROL:
– Loyalty card holder: 10% off all goods
Policy: Give all customers (Jim, Richard, Noel, Des etc.) a Loyalty Card which entitles them to 10% off

Attribute Certificates
Shibboleth provides a text string role to a service
– Transport is secure and understood
– Source of the attribute can never be known: trust of the IdP is essential, but safeguards are needed…
Attribute Certificates (ACs) are X.509 certificates with extra information appended
– Used to convey text string roles in a digital certificate
– With the advantages X.509 brings, i.e. digital signature, validity information + role

Attribute Certificates
Many technologies can exploit digitally signed ACs
– VOMS: Virtual Organisation Management Service
  Fully supported by NGS
  Involves a central repository managed by a VO admin
– PERMIS: Privilege and Role Management Infrastructure Standards Validation
  Generic PMI (privilege management infrastructure) solution, decentralised
  Recognises VOMS ACs, normal X.509, plus XACML request/response

Security Ingredients
(diagram slide; label: VOMS)

Portals
Browser-based access to Web/Grid services
– Can hide the user from certificate management and operations
  Command line obscurity
  Grid middleware atheism
  Firewall restrictions
– Can implement portal-side security to complement service-side security
Joining these two domains is another research hot topic!

The NeSC Model
User logs into the portal via Shibboleth
User’s portal view is filtered according to the SAML attributes presented by the IdP
– User can only invoke services they are entitled to
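As an added example (not code from the talk or from the NeSC portal), this is how a portal sitting behind a Shibboleth SP could apply the attribute-driven, role-based filtering described on this slide and on the SAML attribute, eduPerson and RBAC slides. The IdP address, scope, service names and attribute values are constructed; the ";" separator is the Shibboleth SP's default for multi-valued attributes, and nanoCMOS_webManager is the entitlement value quoted in the talk.

```python
from typing import Dict, Set

# Constructed sample of what the Shibboleth SP (mod_shib) hands to the portal
# once the IdP has asserted attributes. The SP exports each attribute as one
# string and joins multiple values with ";". Names follow the eduPerson schema;
# the IdP entity ID, scope and targeted-id value are hypothetical.
SAMPLE_ENV = {
    "Shib-Identity-Provider": "https://idp.example.ac.uk/shibboleth",
    "affiliation": "member@example.ac.uk;staff@example.ac.uk",
    "entitlement": "nanoCMOS_webManager",
    "targeted-id": "https://idp.example.ac.uk/shibboleth!https://sp.example.org/shibboleth!AbC123",
}

# IdPs this portal trusts to assert roles (federation membership is the basis).
TRUSTED_IDPS = {"https://idp.example.ac.uk/shibboleth"}

# RBAC policy: role -> portal services the role may see and invoke. Service
# names are hypothetical; nanoCMOS_webManager is the entitlement from the slides.
ROLE_POLICY: Dict[str, Set[str]] = {
    "member": {"job-status"},
    "staff": {"job-status", "submit-job"},
    "nanoCMOS_webManager": {"job-status", "submit-job", "manage-web"},
}

def parse_attributes(env: Dict[str, str]) -> Dict[str, Set[str]]:
    """Split each SP-exported attribute into its set of values."""
    return {k: {v.strip() for v in raw.split(";") if v.strip()} for k, raw in env.items()}

def roles_from(attrs: Dict[str, Set[str]]) -> Set[str]:
    """Scoped affiliations (member@scope) drop the scope; entitlements are used as-is."""
    affiliations = {v.split("@", 1)[0] for v in attrs.get("affiliation", set())}
    return affiliations | attrs.get("entitlement", set())

def permitted_services(env: Dict[str, str]) -> Set[str]:
    """Filter the portal view; a missing or untrusted IdP yields nothing, since a role is only as good as the authority that asserted it."""
    attrs = parse_attributes(env)
    idp = attrs.get("Shib-Identity-Provider", set())
    if not idp or not idp <= TRUSTED_IDPS:
        return set()
    allowed: Set[str] = set()
    for role in roles_from(attrs):
        allowed |= ROLE_POLICY.get(role, set())  # unknown roles grant nothing
    return allowed

def session_key(env: Dict[str, str]) -> str:
    """Pseudonymous session handle: the targeted ID, never the principal name (the one attribute that reveals who the user is)."""
    return env.get("targeted-id", "")
```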

The NeSC Model
Portal retrieves non-local credentials from VOMS/PERMIS/MyProxy…
– Based on DN info supplied by the IdP
(diagram label: VOMS (local?))

The NeSC Model
Portal exports the appropriate credential to the desired service
(diagram labels: NGS, VOMS proxy, Data Store)

The Big Picture
Complementary local and external security
– Must meet the requirements of the external service
– Hide the user from complex interactions
(diagram labels: Home Institution, Portal, The Outside World (Grid, data sources))

Issues
Portal-side security is well known and present now
– UK Federation enables a vast user base
  Every staff and student in UK academia? A select few…?
The challenge lies in bridging the requirements of external services
– Are the resources willing to deploy alternate security infrastructures?
– Grid enabled? (GT4, OGSA-DAI)
– If an alternate standard is prevalent, can we speak their language?

New Technologies
SAML2 Holder-of-Key Assertion